Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Escape regex characters in object search pattern (#2676) #2904

Closed
wants to merge 1 commit into from
Closed

Escape regex characters in object search pattern (#2676) #2904

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion kinto/core/permission/memory.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,7 +103,7 @@ def get_accessible_objects(self, principals, bound_permissions=None, with_childr
else:
for pattern, perm in bound_permissions:
id_match = ".*" if with_children else "[^/]+"
regexp = re.compile(f"^{pattern.replace('*', id_match)}$")
regexp = re.compile(f"^{re.escape(pattern).replace('*', id_match)}$")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call! But I suspect that this is also escaping patterns that we use internally to match multiple objects.

I think this could be done around here instead maybe:

kinto/kinto/core/authorization.py

Lines 236 to 261 in f27fb5a

def get_permission_object_id(self, request, object_id=None):
"""Returns the permission object id for the current request.
In the nominal case, it is just the current URI without version prefix.
For plural endpoint, it is the related object URI using the specified
`object_id`.
See :meth:`kinto.core.resource.model.SharableModel` and
:meth:`kinto.core.authorization.RouteFactory.__init__`
"""
object_uri = utils.strip_uri_prefix(request.path)
if self.on_plural_endpoint and object_id is not None:
# With the current request on a plural endpoint, the object URI must
# be found out by inspecting the "plural" service and its sibling
# "object" service. (see `register_resource()`)
matchdict = {**request.matchdict, "id": object_id}
try:
object_uri = utils.instance_uri(request, self.resource_name, **matchdict)
object_uri = object_uri.replace("%2A", "*")
except KeyError:
# Maybe the resource has no single object endpoint.
# We consider that object URIs in permissions backend will
# be stored naively:
object_uri = f"{object_uri}/{object_id}"
return object_uri

for key, value in self._store.items():
if key.endswith(perm):
object_id = key.split(":")[1]
Expand Down
14 changes: 14 additions & 0 deletions tests/core/resource/test_object_permissions.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,20 @@ def test_permissions_are_hidden_if_user_has_only_read_permission(self):
self.assertEqual(result["permissions"], {})


class GetObjectsPermissionTest(PermissionTest):
def setUp(self):
super().setUp()
self.object_id = ")EFg9=)%5E(M~%2037"
self.object_uri = "/articles/{}".format(self.object_id)
self.perm = "read"
self.permission.add_principal_to_ace(self.object_uri, self.perm, "account:readonly")

def test_get_objects_permissions_escapes_regex_chars_in_id(self):
principals = self.permission.get_object_permission_principals(self.object_uri, self.perm)
result = self.permission.get_accessible_objects(principals, [(self.object_uri, self.perm)])
self.assertEqual(result, {self.object_uri: {self.perm}})


class SpecifyObjectPermissionTest(PermissionTest):
def setUp(self):
super().setUp()
Expand Down